1. Field of the Invention
Embodiments relate to a behavior-based malicious code detection apparatus and method using a multiple feature vector, and more particularly, to an apparatus and method for generating a feature vector based on characteristic factor information collected when a process is executed and verifying, using the generated feature vector, whether the process includes a malicious code.
2. Description of the Related Art
Most related malicious code detecting and processing technology determines that a process or a file subjected to a malicious code test contains a malicious code when a predetermined binary pattern is present in that process or file. Thus, binary pattern data of malicious codes needs to be managed by registering the predetermined binary pattern of each malicious code whenever that malicious code is detected.
Malicious code detection based on a binary pattern may therefore guarantee a high detection rate and a fast detection time for a malicious code whose binary pattern is managed. However, it cannot detect an unknown malicious code or a changed malicious code.
There is also behavior-based malicious code detecting technology, in addition to binary pattern-based malicious code detecting technology. The behavior-based technology may define a behavior rule in advance, and verify a file or a process as including a malicious code when the behavior described by a pre-defined rule is exhibited by the file or the process.
Related behavior-based malicious code detecting technology may collect related information from a network or a personal computer (PC) of a user for the purpose of applying the defined rule. Thus, additional related information may need to be collected whenever a new rule is generated, and the correlation between a running process and a stored file may remain unknown.
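The two approaches contrasted above, as an added illustration that is not part of the patent text: a minimal binary-pattern scanner and a minimal behavior-rule matcher run over constructed sample data. The byte strings, the signature database, the rule, the process identifiers and the event trace are all constructed here for the example; none of them is a real malicious sample or a real signature. The trace is arranged so that a one-byte change in the sample defeats the registered pattern while the pre-defined behavior rule still matches both the original and the changed process.

```python
"""Binary-pattern detection beside behavior-rule detection (constructed example)."""
from dataclasses import dataclass
from typing import Iterable

# --- Binary-pattern (signature) detection -----------------------------------
# Constructed, harmless byte strings standing in for a "known" sample and a
# slightly changed variant of it. Neither is real malware.
KNOWN_SAMPLE = b"\x4d\x5a\x90\x00HELLO-WORLD-DROPPER\x00payload"
CHANGED_SAMPLE = b"\x4d\x5a\x90\x00HELLO-WORLD-DR0PPER\x00payload"  # one byte differs

# Signature database: one registered pattern per detected family (constructed).
SIGNATURES = {
    "constructed.family.a": b"HELLO-WORLD-DROPPER",
}


def scan_binary(data: bytes, signatures=SIGNATURES) -> list[str]:
    """Return the names of all registered patterns present in `data`."""
    return [name for name, pattern in signatures.items() if pattern in data]


# --- Behavior-rule detection -------------------------------------------------
@dataclass(frozen=True)
class Event:
    """One observed action of a running process (constructed schema)."""
    pid: int
    api: str      # e.g. "CreateFile", "RegSetValue", "Connect"
    target: str   # file path, registry key, or remote endpoint


# A rule is the set of (api, target) behaviors that must all be observed
# for a single process before the rule is considered matched.
BEHAVIOR_RULES = {
    "constructed.rule.persist_and_beacon": {
        ("RegSetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
        ("Connect", "203.0.113.10:443"),
    },
}


def match_behavior(events: Iterable[Event], rules=BEHAVIOR_RULES) -> dict[int, list[str]]:
    """Map each pid to the rules whose required behaviors it fully exhibited."""
    observed: dict[int, set[tuple[str, str]]] = {}
    for ev in events:
        observed.setdefault(ev.pid, set()).add((ev.api, ev.target))
    hits: dict[int, list[str]] = {}
    for pid, behaviors in observed.items():
        matched = [name for name, required in rules.items() if required <= behaviors]
        if matched:
            hits[pid] = matched
    return hits


# Constructed process trace: pid 100 ran the unchanged sample, pid 200 the
# changed one; both show the same behavior, pid 300 is a benign process.
SAMPLE_EVENTS = [
    Event(100, "CreateFile", "C:\\Users\\u\\AppData\\Local\\Temp\\x.tmp"),
    Event(100, "RegSetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    Event(100, "Connect", "203.0.113.10:443"),
    Event(200, "RegSetValue", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
    Event(200, "Connect", "203.0.113.10:443"),
    Event(300, "CreateFile", "C:\\Users\\u\\Documents\\notes.txt"),
]

if __name__ == "__main__":
    print("signature, known sample:  ", scan_binary(KNOWN_SAMPLE))    # one hit
    print("signature, changed sample:", scan_binary(CHANGED_SAMPLE))  # no hit
    print("behavior rules by pid:    ", match_behavior(SAMPLE_EVENTS))  # pids 100 and 200
```

The scanner only knows what has been registered, which is the maintenance burden the text describes; the rule matcher needs the per-process event stream to be collected in the first place, which is the collection burden it describes for behavior-based detection.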